Back to Networking

download for Mac -- docs source

Note: here's great list of step by step walkthroughs for doing things with wireshark. Also Wireshark is the coolest, complex piece of software, very useful for learning about TCP/IP.

Wireshark is a network packet analyzer (aka packet sniffer, protocol analyzer), capturing packets and displays in detail. Basically a measurement device (think voltmeter)

Capturing Live Network Data

Set Up a Capture on HTTP requests

As an overview, TCP is the protocol used to connect the client and server, while HTTP is the protocol for transferring media files from the server to the client.

My steps for setting up a local traffic capture:

To select destination traffic: -- source

Analyze TCP Connection Traffic

Analyze HTTP Request Traffic

Let's do this again with HTTPS -- source

Further Processing of Captures

ip.addr == and ssl can be used as the filter to ignore underlying TCP communication packets, and for the IP of rubygems.org.

Comparing two capture files

Decryption using Wireshark

Wireshark can decrypt SSL/TLS communications, if it has access to the Master Key used in encrypting the data

decrypting ssl traffic from browsers

add this to .bashrc:
alias wireshark="SSLKEYLOGFILE=/Users/kevintpeng/sslkeylogs/output.log open -a firefox; sudo wireshark"

This logs your browser's SSL keys, as it generates random pub/priv key pairings on the fly for each request. This alias opens a browser that logs these keys to a file accessible by wireshark.

Wireshark > Preferences > Protocols > SSL > set path to (Pre)-Master-Secret log filename to /Users/kevintpeng/sslkeylogs/output.log

decrypting ssl for ruby